Create a policy to automatically import discovered ROSA clusters
This policy monitors DiscoveredCluster resources for ROSA clusters and configures matching discovered clusters to be automatically imported. Status is shown for any that have been configured to be automatically imported. Filtering by the discovered cluster display name can be updated in the policy by editing the ConfigMap. Refs: - https://issues.redhat.com/browse/ACM-10304 Signed-off-by: Gus Parvin <[email protected]> (cherry picked from commit f3de3d9)
1 parent
8089c57
commit 1d2f118
Showing
2 changed files
with
102 additions
and
0 deletions.
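--- a/community/CM-Configuration-Management/policy-rosa-autoimport.yaml
+++ b/community/CM-Configuration-Management/policy-rosa-autoimport.yaml
@@ -0,0 +1,101 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+name: policy-rosa-autoimport
+annotations:
+policy.open-cluster-management.io/standards: NIST SP 800-53
+policy.open-cluster-management.io/categories: CM Configuration Management
+policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+policy.open-cluster-management.io/description: Discovered clusters that are of
+type ROSA can be automatically imported into ACM as managed clusters. This
+policy helps you select those managed clusters and configure them so the import
+will happen. If you do not want all of your ROSA clusters to be automatically
+imported, you can configure filters or add an annotation.
+spec:
+remediationAction: inform
+disabled: false
+policy-templates:
+- objectDefinition:
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+name: policy-rosa-autoimport
+spec:
+remediationAction: inform
+severity: low
+object-templates-raw: |
+- complianceType: musthave
+objectDefinition:
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: discovery-config
+namespace: open-cluster-management-global-set
+data:
+rosa-filter: ""
+{{- /* find the ROSA DiscoveredClusters */ -}}
+{{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
+{{- /* Check for the flag that indicates the import should be skipped */ -}}
+{{- $skip := "false" -}}
+{{- range $key, $value := $dc.metadata.annotations }}
+{{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
+(eq $value "true") }}
+{{- $skip = "true" }}
+{{- end }}
+{{- end }}
+{{- /* if the type is ROSA and the status is Active */ -}}
+{{- if and (eq $dc.spec.status "Active")
+(contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
+(eq $dc.spec.type "ROSA")
+(eq $skip "false") }}
+- complianceType: musthave
+objectDefinition:
+apiVersion: discovery.open-cluster-management.io/v1
+kind: DiscoveredCluster
+metadata:
+name: {{ $dc.metadata.name }}
+namespace: {{ $dc.metadata.namespace }}
+spec:
+importAsManagedCluster: true
+{{- end }}
+{{- end }}
+- objectDefinition:
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+name: policy-rosa-managedcluster-status
+spec:
+remediationAction: inform
+severity: low
+object-templates-raw: |
+{{- /* Use the same DiscoveredCluster list to check ManagedCluster status */ -}}
+{{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
+{{- /* Check for the flag that indicates the import should be skipped */ -}}
+{{- $skip := "false" -}}
+{{- range $key, $value := $dc.metadata.annotations }}
+{{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
+(eq $value "true") }}
+{{- $skip = "true" }}
+{{- end }}
+{{- end }}
+{{- /* if the type is ROSA and the status is Active */ -}}
+{{- if and (eq $dc.spec.status "Active")
+(contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
+(eq $dc.spec.type "ROSA")
+(eq $skip "false") }}
+- complianceType: musthave
+objectDefinition:
+apiVersion: cluster.open-cluster-management.io/v1
+kind: ManagedCluster
+metadata:
+name: {{ $dc.spec.displayName }}
+namespace: {{ $dc.spec.displayName }}
+annotations:
+cluster.open-cluster-management.io/clusterset: default
+status:
+conditions:
+- type: ManagedClusterAvailable
+status: "True"
+{{- end }}
+{{- end }}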
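Review bot: The shipped default `rosa-filter: ""` makes the `contains (fromConfigMap … "rosa-filter") $dc.spec.displayName` test true for every display name, so in both templates each Active ROSA DiscoveredCluster without the `previously-auto-imported` annotation is selected. That is harmless while `remediationAction` stays `inform`, but switching the policy to `enforce` would presumably set `importAsManagedCluster: true` on all of them, and a non-empty filter is still a substring match (a value such as `prod` would also select `nonprod-1`, a constructed example). I would document this where the value is set, e.g. `# empty = match ALL ROSA clusters; value is a substring of displayName - set it before enforcing`, and consider an exact or prefix comparison if the filter is meant to act as an allow-list.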